SeRLoc:  Robust  Localization  for  Wireless 
Sensor  Networks 

LOUKAS  LAZOS  and  RADHA  POOVENDRAN 
University  of  Washington 


Many  distributed  monitoring  applications  of  Wireless  Sensor  Networks  (WSNs)  require  the  location 
information  of  a  sensor  node.  In  this  article,  we  address  the  problem  of  enabling  nodes  of  Wireless 
Sensor  Networks  to  determine  their  location  in  an  untrusted  environment,  known  as  the  secure 
localization  problem.  We  propose  a  novel  range-independent  localization  algorithm  called  SeRLoc 
that  is  well  suited  to  a  resource  constrained  environment  such  as  a  WSN.  SeRLoc  is  a  distributed 
algorithm  based  on  a  two-tier  network  architecture  that  allows  sensors  to  passively  determine  their 
location  without  interacting  with  other  sensors.  We  show  that  SeRLoc  is  robust  against  known 
attacks on WSNs such as the wormhole attack, the Sybil attack, and compromise of network
entities, and analytically compute the probability of success for each attack. We also compare the
performance  of  SeRLoc  with  state-of-the-art  range-independent  localization  schemes  and  show  that 
SeRLoc  has  better  performance. 

Categories  and  Subject  Descriptors:  C.2.1  [Computer-Communication  Networks]:  Network 
Architecture  and  Design — Distributed  networks,  Network  topology 

General  Terms:  Algorithm,  Design,  Performance,  Security 

Additional  Key  Words  and  Phrases:  Range-independent,  secure  localization,  sensor  networks 


1.  INTRODUCTION 

Wireless  ad  hoc  sensor  networks  (WSNs)  are  expected  to  be  low-cost,  self- 
configurable  with  no  predeployed  infrastructure,  and  easy  to  deploy.  Hence, 
such  networks  provide  a  variety  of  consumer  applications  such  as  emergency 
rescue, disaster relief, smart homes, and patient monitoring, as well as industrial
applications such as distributed structural health monitoring and environmental
control, and military applications such as target identification and
tracking.

Many  of  the  applications  proposed  for  WSNs  require  knowledge  of  the  origin 
of  the  sensed  information.  For  example,  in  a  disaster  relief  operation  using 
a WSN to locate survivors in a collapsed building, it is critical that sensors
report  monitoring  information  along  with  their  location.  Furthermore,  location 
is  assumed  to  be  known  in  many  ad  hoc  network  operations  such  as  routing 
protocols  where  a  family  of  geographically-aided  algorithms  have  been  proposed 
[Basagni  et  al.  1998],  or  security  protocols  where  location  information  is  used  to 
prevent  threats  against  network  services  [Hu  et  al.  2003;  Lazos  and  Poovendran 
2003]. 

Since WSNs may be deployed in hostile environments and operate unsupervised,
they are vulnerable to conventional and novel attacks [Hu et al. 2003;
Karlof and Wagner 2003] aimed at interrupting the functionality of location-aware
applications by exploiting the vulnerabilities of the localization scheme.
Though many localization techniques have been proposed for wireless sensor
networks [Bulusu et al. 2000; Nagpal et al. 2003; Niculescu and Nath 2001;
He et al. 2003; Savvides et al. 2001; Priyantha et al. 2003; Capkun et al. 2001],
research in secure location estimation is in its infancy.

Since sensors are hardware and power limited, we propose a two-tier network
architecture for secure location computation. Our network is comprised
of a small number of nodes equipped with special hardware we call locators
and a large number of resource constrained sensor devices. However, we
preserve the characteristics of ad hoc networks by randomly deploying both
the sensors and the locators and by allowing them to communicate in an ad
hoc mode. Moreover, since distance measurements are susceptible to distance
enlargement/reduction, we do not use any such measurements to infer the sensor
location. We refer to methods that do not use distance measurements
as range-independent localization schemes [He et al. 2003; Nagpal et al. 2003;
Niculescu and Nath 2001; Bulusu et al. 2000].

In  this  article  we  make  the  following  contributions. 

— We  introduce  the  problem  of  secure  localization  in  wireless  sensor  networks 
and  propose  SeRLoc,  a  novel  range-independent  localization  scheme  for 
WSNs  based  on  a  two-tier  network  architecture  that  achieves  decentralized, 
resource-efficient  sensor  localization  and  can  accommodate  limited  sensor 
mobility. 

— We  describe  well  known  security  threats  against  WSNs  such  as  the  wormhole 
attack  [Hu  et  al.  2003;  Papadimitratos  and  Haas  2002],  the  Sybil  attack 
[Douceur  2002;  Newsome  et  al.  2004],  and  compromise  of  network  entities 
and  provide  mechanisms  that  allow  each  sensor  to  determine  its  location  even 
in  the  presence  of  these  threats.  Furthermore,  we  analytically  evaluate  the 
probability  of  success  for  each  type  of  attack  using  spatial  statistics  theory 
[Cressie  1993]. 

— Based  on  our  performance  evaluation,  we  show  that  SeRLoc  localizes  sensors 
with  higher  accuracy  than  state-of-the-art  decentralized  range-independent 
localization  schemes  [He  et  al.  2003;  Nagpal  et  al.  2003;  Bulusu  et  al.  2000; 
Niculescu  and  Nath  2001]  and  is  robust  against  varying  sources  of  error. 

The  remainder  of  the  article  is  organized  as  follows.  In  Section  2,  we  present 
related  work.  In  Section  3,  we  introduce  the  secure  localization  problem  and 
state our network model. Section 4 describes SeRLoc, and Section 5 presents
a  threat  analysis.  In  Section  6,  we  evaluate  and  compare  the  performance  of 
SeRLoc  with  other  range-independent  localization  schemes.  Section  7  presents 
our  conclusions  and  future  directions. 


2.  RELATED  WORK 

While an extensive literature exists on the problem of localization in a trusted
environment, secure localization in wireless sensor networks is a fairly unexplored
area of research. In fact, to the best of our knowledge ours is the first
work to address the problem of estimating the position of the sensors in a hostile
environment using range-independent methods. The only other peer reviewed
work that addresses the problem of secure position estimation in WSNs is a secure
scheme for range-dependent localization [Capkun and Hubaux 2005] and
a preliminary version of our work [Lazos and Poovendran 2004].

Localization  schemes  can  be  classified  into  range-dependent  and  range- 
independent-based  schemes.  In  range-dependent  schemes,  nodes  determine 
their  location  based  on  distance  or  angle  estimates  to  some  reference  points 
with  known  coordinates.  Such  estimates  may  be  acquired  through  different 
methods such as time of arrival (TOA) [Capkun et al. 2001; Hofmann-Wellenhof
et al. 1997], time difference of arrival (TDOA) [Savvides et al. 2001; Priyantha
et al. 2003], or angle of arrival (AOA) [Niculescu and Nath 2003].

In the range-independent localization schemes, nodes determine their location
without any time, angle, or power measurements. Bulusu et al. [2000]
proposed  an  outdoor  localization  scheme  called  Centroid  where  nodes  estimate 
their  position  as  the  centroid  of  the  locations  of  all  the  beacons  transmitted 
from  reference  points.  The  Centroid  method  is  easy  to  implement  and  incurs 
low  communication  cost.  However,  it  results  in  a  crude  approximation  of  node 
location.  A  variant  of  Centroid  using  multiple  power  levels  provides  much  better 
localization  accuracy  than  Centroid  at  the  expense  of  increased  communication 
cost  [Bulusu  2002]. 

Niculescu and Nath [2001] proposed DV-hop where each node determines the
number of hops to nodes with known locations called landmarks, using a distance
vector-like method. Once the number of hops to at least three landmarks
is  known,  nodes  use  an  average  hop  size  estimate  to  determine  their  distance  to 
the  landmarks  and  apply  multilateration  to  determine  their  absolute  location. 
Nagpal  et  al.  [2003]  followed  a  similar  approach  to  DV-hop  except  that  they 
compute  the  average  hop  size  offline  using  an  approximate  formula  [Kleinrock 
and  Silvester  1978]  with  the  assumption  that  every  network  node  has  at  least 
a  neighborhood  of  15  nodes. 

He  et  al.  [2003]  proposed  APIT,  a  range-independent  localization  scheme 
that  localizes  nodes  based  on  beacons  transmitted  from  reference  points  called 
anchors  and  neighbor  node  information.  In  APIT,  a  node  s  performs  a  test  to 
determine  whether  it  is  inside  the  triangle  defined  by  a  3-tuple  of  anchors  heard 
by  the  node.  The  test  is  repeated  for  all  3-tuples  of  anchors  heard  by  s,  and 
the  location  is  computed  as  the  center  of  gravity  of  the  triangles’  overlapping 
region. 

Two methods have been proposed that utilize connectivity information to
determine  the  node  location.  Doherty  et  al.  [2001]  formulated  a  semidefinite 
program  based  on  the  connectivity-induced  and  angular  constraints  in  order 
to obtain the optimal position estimates. Shang et al. [2003] used multidimensional
scaling to acquire an arbitrary rotation of the network topology. Furthermore,
if any three nodes know their location, the network topology can be
mapped  to  the  absolute  node  location.  Since  both  schemes  in  Doherty  et  al. 
[2001]  and  Shang  et  al.  [2003]  are  range-based  localization  techniques,  they 
are  not  used  for  comparison  in  the  performance  evaluation. 

3.  PROBLEM  STATEMENT  AND  NETWORK  MODEL 

3.1  Problem  Statement 

We  study  the  problem  of  enabling  nodes  of  a  WSN  to  determine  their  location 
even  in  the  presence  of  malicious  adversaries.  This  problem  will  be  referred  to 
as  Secure  Localization.  Apart  from  the  secure  localization  problem,  location 
verification  [Sastry  et  al.  2002],  location  privacy  [Gruteser  et  al.  2003],  and 
secure location reporting are essential components of any secure location service.
Enabling a sensor to securely compute its location is a different problem
from securely reporting the location of a sensor, guaranteeing its privacy, or
verifying its location claim. Secure location reporting, privacy, and verification,
while important areas in their own right, are not addressed in this article. We
consider secure localization in the context of the following design goals: (a) decentralized
implementation, (b) resource efficiency, (c) range-independence, and
(d)  robustness  against  security  threats. 

3.2  Network  Model 

Network Setup. We assume a two-tier network architecture with a set of sensors
$S$ of unknown location randomly deployed with a density $\rho_s$ within an area $A$,
and a set of specially equipped nodes $L$ we call locators, with known location^1
and orientation, also randomly deployed with a density $\rho_L$.

Antenna Model. We assume that sensors are equipped with omnidirectional
antennas and transmit with a power $P_s$, while locators are equipped with $M$
directional antennas with a directivity gain $G > 1$, and can transmit with
a power $P_L > P_s$. Let the signal attenuation over space be proportional to
some exponent $\gamma$ of the distance $d$ between two nodes, times the antenna
directivity gain $G$ ($G = 1$ for omnidirectional antennas), that is, $\frac{P_r}{P_s} = c\,G^{2} d^{-\gamma}$,
with $2 \leq \gamma \leq 5$, where $c$ denotes a proportionality constant, and $P_r$ denotes
the minimum required receive power for communication. If $r_{ss}$ denotes the
sensor-to-sensor communication range, and $r_{sL}$ denotes the sensor-to-locator
communication range, then

$$\frac{P_r}{P_s} = c\,(r_{ss})^{-\gamma}, \qquad \frac{P_r}{P_s} = c\,G\,(r_{sL})^{-\gamma}. \qquad (1)$$

From (1), it follows that $r_{sL} = r_{ss} G^{1/\gamma}$. Similarly, if $r_{Ls}$ denotes the locator-to-sensor
communication range, the locator-to-locator communication range $r_{LL}$
is equal to $r_{LL} = r_{Ls} G^{2/\gamma}$. For notational simplicity we will refer to $r_{ss}$ as $r$, and
to $r_{Ls}$ as $R$. Table I summarizes the four possible communication modes with
the appropriate ranges indicated.

Table I.

Sender \ Receiver    Sensor    Locator
Sensor               $r$       $r G^{1/\gamma}$
Locator              $R$       $R G^{2/\gamma}$

(The four communication modes between sensors and locators with each
entry indicating the communication range for that mode. The $\gamma$ denotes
the pathloss parameter and $G$ denotes the antenna directivity gain.)

^1 We presume that the locators acquire their position either through manual insertion or through
GPS receivers [Hofmann-Wellenhof et al. 1997]. Though GPS signals can be spoofed, knowledge
of the coordinates of several nodes is essential to achieve any kind of node localization for any
localization scheme.

To achieve a communication range ratio $R/r$, locators need to transmit with
power $P_L = (R/r)^{\gamma} (P_s/G)$. Given that sensors are low power devices, locators with
higher transmitting power capabilities are a reasonable assumption. A typical
sensor has a communication range of 3 ~ 30m, with a maximum transmission
power of $P_s = 0.75$mW [MICA]. Hence, locators need to transmit with a power
$P_L = 75$mW to achieve a communication range ratio $R/r = 10$ when $\gamma = 2$, even
without the use of directional antennas.

Also note that, though the size of directional antennas is a concern for the
present operational frequency of sensors, the foreseeable increase in operating
frequency will facilitate the use of directional antennas at the locators. At
2.4GHz and a half-wavelength element spacing, the size of an 8-element cylindrical
array would be of radius 8cm. At the 5GHz band, the size of an 8-element
antenna would have a radius of 3.3cm [Ramanathan 2001]. Since the locators
are assumed to be of bigger size than the sensors, equipping locators with directional
antennas is a feasible solution.

System Parameters. Since both locators and sensors are randomly and independently
deployed, it is essential to select the system parameters so that
locators can communicate with sensors. The random deployment of the locators
with a density $\rho_L = \frac{|L|}{A}$ ($|\cdot|$ denotes the cardinality of a set) is equivalent
to a sequence of events following a homogeneous Poisson point process of rate
$\rho_L$ [Cressie 1993]. The random deployment of sensors with a density $\rho_s = \frac{|S|}{A}$
is equivalent to a random sampling of the area $A$ with rate $\rho_s$ [Cressie 1993].
Making use of Spatial Statistics theory [Cressie 1993], if $LH_s$ denotes the set
of locators heard by a sensor $s$, that is, within range $R$ from $s$, the probability
that $s$ hears exactly $k$ locators, given that the locators are randomly and
independently deployed, is given by the Poisson distribution:

$$P(|LH_s| = k) = \frac{(\rho_L \pi R^2)^k}{k!}\, e^{-\rho_L \pi R^2}. \qquad (2)$$

Based on (2), we compute the probability for every sensor to hear at least $k$
locators $P(|LH_s| \geq k)$:

$P(|LH_s| \geq k,\ \forall s \in S) =$  .  (3)

Equation (3) allows the choice of $\rho_L$, $R$ so that a sensor hears at least $k$ locators
with any desired probability. The expected number of locators heard by each
node, $E(|LH_s|) = \rho_L \pi R^2$, is significantly higher than $k$. For example, for $R = 20$m,
to allow every sensor to hear at least 4 locators with probability
$P(|LH_s| \geq 4,\ \forall s \in S) = 0.99$, we need a $\rho_L = 0.02$ locators/m$^2$. For $\rho_L = 0.02$ locators/m$^2$,
$E(|LH_s|) = 25.13$. Hence, $P(|LH_s| \geq k,\ \forall s \in S)$ is a more strict requirement
than $E(|LH_s|) = k$. Derivations of (2) and (3) are presented in Appendix 1.
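
The Poisson model of Equation (2) turned into a deployment-sizing calculation, as an added example that is not code from the paper: it evaluates the probability of hearing a given number of locators and searches for the smallest locator density that meets a target. Treating the $|S|$ sensors as independent in `p_all_hear_at_least`, the bisection search and all function names are assumptions of this example.

```python
import math


def expected_heard(rho_L, R):
    """E(|LH_s|): mean number of locators inside the circle of radius R."""
    return rho_L * math.pi * R * R


def p_hear_exactly(k, rho_L, R):
    """P(|LH_s| = k) for a Poisson count with mean rho_L * pi * R^2."""
    lam = expected_heard(rho_L, R)
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    # Evaluate in log space so large k or lam cannot overflow.
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def p_hear_at_least(k, rho_L, R):
    """P(|LH_s| >= k) for one sensor."""
    return 1.0 - sum(p_hear_exactly(i, rho_L, R) for i in range(k))


def p_all_hear_at_least(k, rho_L, R, n_sensors):
    """Probability that every one of n_sensors hears >= k locators.

    Assumption of this example: the sensors' counts are independent.
    """
    miss = sum(p_hear_exactly(i, rho_L, R) for i in range(k))
    if miss >= 1.0:
        return 0.0
    return math.exp(n_sensors * math.log1p(-miss))  # (1 - miss)^n, stable for tiny miss


def min_locator_density(k, R, n_sensors, target, tol=1e-6):
    """Smallest rho_L (locators per m^2) with p_all_hear_at_least >= target."""
    lo, hi = 0.0, 1.0 / (math.pi * R * R)   # start where one locator is heard on average
    while p_all_hear_at_least(k, hi, R, n_sensors) < target:
        hi *= 2.0
    while hi - lo > tol * hi:
        mid = (lo + hi) / 2.0
        if p_all_hear_at_least(k, mid, R, n_sensors) >= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print("E(|LH_s|) for rho_L=0.02, R=20:", round(expected_heard(0.02, 20.0), 2))
    rho = min_locator_density(k=4, R=20.0, n_sensors=1000, target=0.99)
    print("constructed case, 1000 sensors: rho_L >=", round(rho, 5))
```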

Attacks  Not  Addressed.  In  this  article,  we  do  not  consider  attacks  against  the 
physical  layer  such  as  frequency  jamming.  Spread  spectrum  [Pickholtz  et  al. 
1982]  and  coding  [Wicker  and  Bartz  1994]  are  known  to  be  efficient  mechanisms 
to  shield  the  physical  layer  against  jamming  attacks.  Also,  we  do  not  consider 
any  attack  against  the  Medium  Access  Control  (MAC)  protocol  that  may  lead 
to  a  denial-of-service  (DoS).  In  fact,  we  assume  that  an  adversary  will  attempt 
to  displace  the  sensors  without  being  detected  and  hence,  do  not  examine  DoS 
attacks. 

4.  SERLOC:  SECURE  RANGE-INDEPENDENT  LOCALIZATION  SCHEME 

In  this  section,  we  present  the  SEcure  Range-independent  Localization 
scheme  (SeRLoc)  that  enables  sensors  to  determine  their  location  based  on 
beacon  information  transmitted  by  the  locators  even  in  the  presence  of  security 
threats. 

4.1  Location  Determination 

In SeRLoc, sensors determine their location based on the beacon information
transmitted by the locators. Figure 1(a) illustrates the idea behind the scheme.
Each locator transmits different beacons at each antenna sector with each beacon
containing (a) the locator’s coordinates, and (b) the angles of the antenna
boundary lines with respect to a common global axis.

If a sensor receives a beacon transmitted at a specific antenna sector of a
locator $L_i$, it has to be included within that sector. Given the locator-to-sensor
communication range $R$, the coordinates of the transmitting locators, and the
sector boundary lines provided by the beacons, each sensor determines its location
as the center of gravity (CoG) of the overlapping region of the different
sectors. The CoG is the least square error solution given that a sensor can lie
with equal probability at any point in the overlapping region. In Figure 1(a),
the sensor hears beacons from locators $L_1 \sim L_4$ and determines its position as
the CoG of the overlapping region between the four antenna sectors. We now
present the algorithmic details of SeRLoc.

Step 1: Collection of localization information. In Step 1, the sensor collects
information from all the locators that it can hear. A sensor $s$ can hear all locators
$L_i \in L$ that lie within a circle of radius $R$, centered at $s$.

$$LH_s = \{L_i : \|s - L_i\| \leq R,\ L_i \in L\}. \qquad (4)$$

Fig. 1. (a) The sensor hears locators $L_1 \sim L_4$ and estimates its location as the Center of Gravity
(CoG) of the overlapping region of the sectors that include it. (b) Determination of the search area.

Step 2: Search area. In Step 2, the sensor computes a search area for its
location. Let $X_{\min}$, $X_{\max}$, $Y_{\min}$, $Y_{\max}$ denote the minimum and the maximum
locator coordinates from the set $LH_s$.

$$X_{\min} = \min_{L_i \in LH_s} X_i, \quad X_{\max} = \max_{L_i \in LH_s} X_i, \quad Y_{\min} = \min_{L_i \in LH_s} Y_i, \quad Y_{\max} = \max_{L_i \in LH_s} Y_i. \qquad (5)$$

Since every locator of set $LH_s$ needs to be within a range $R$ from sensor $s$, if
$s$ can hear locator $L_i$ with coordinates $(X_{\min}, Y_i)$, it has to be located left of
the vertical boundary of $(X_{\min} + R)$. Similarly, $s$ has to be located right of the
vertical boundary of $(X_{\max} - R)$, below the horizontal boundary of $(Y_{\min} + R)$, and
above the horizontal boundary of $(Y_{\max} - R)$. The dimensions of the rectangular
search area are $(2R - d_x) \times (2R - d_y)$, where $d_x$, $d_y$ are the horizontal distance
$d_x = X_{\max} - X_{\min} \leq 2R$, and the vertical distance $d_y = Y_{\max} - Y_{\min} \leq 2R$,
respectively. In Figure 1(b), we show the search area for the network setup in
Figure 1(a).

Step 3: Overlapping region-Majority vote. In Step 3, sensors determine the
overlapping region of all sectors they hear. Since it would be computationally expensive
for each sensor to analytically determine the overlapping region based
on the line intersections, we employ a grid scoring system that defines the
overlapping region based on majority vote.

Grid score table. The sensor places a grid of equally spaced points within the
rectangular search area as shown in Figure 2(a). For each grid point, the sensor
holds a score in a grid score table with initial values equal to zero. For each grid
point, the sensor executes the grid-sector test detailed in the following to decide
if the grid point is included in a sector heard from a locator of set $LH_s$. If the
grid-sector test is positive, the sensor increments the corresponding grid score table
value by one, otherwise the value remains unchanged. This process is repeated
for all locators heard $LH_s$ and all the grid points. The overlapping region is
defined by the grid points that have the highest score in the grid score table.
In Figure 2(a), we show the grid score table and the corresponding overlapping
region.

Fig. 2. (a) Steps 3, 4: Placement of a grid of equally-spaced points in the search area and the
corresponding grid score table. The sensor estimates its position as the centroid of all grid points
with the highest score. (b) Step 3: Grid-sector test for a point $g$ of the search area.

Note that due to the finite grid resolution, the use of grid points for the
definition of the overlapping region induces error in the calculation. The resolution
of the grid can be increased to reduce the error at the expense of energy
consumption due to the increased processing time.

Grid-sector test. A point $g : (x_g, y_g)$ is included in a sector of angles $[\theta_1, \theta_2]$
originating from locator $L_i$ if it satisfies two conditions:

$$C_1 : \|g - L_i\| \leq R, \qquad C_2 : \theta_1 \leq \phi \leq \theta_2, \qquad (6)$$

where $\phi$ is the slope of the line connecting $g$ with $L_i$. Note that the sensor
does not have to perform any angle-of-arrival (AOA) measurements. Both the
coordinates of the locators and the grid points are known, and hence the sensor
can analytically calculate $\phi$. In Figure 2(b), we illustrate the grid-sector test
with all angles measured with reference to the x axis.

Step 4: Location estimation. The sensor determines its location as the centroid
of all the grid points that define the overlapping region:

$$\left( \frac{1}{n} \sum_{i=1}^{n} x_{g_i},\ \frac{1}{n} \sum_{i=1}^{n} y_{g_i} \right),$$

where $n$ is the number of grid points of the overlapping region, and $(x_{g_i}, y_{g_i})$
are the coordinates of the grid points.
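
Steps 2 to 4 in Python, as an added example rather than code from the paper: the search area, the grid-sector test (6) with the angle comparison made safe for sectors that wrap through 0, the majority vote and the centroid. The `Beacon` record, the function names, the constructed locator layout and the 8-sector antenna assumed in `heard_beacon` are assumptions of this example.

```python
import math
from dataclasses import dataclass

TWO_PI = 2.0 * math.pi


@dataclass(frozen=True)
class Beacon:
    """Content of one received beacon: locator position and sector boundary angles."""
    x: float
    y: float
    theta1: float  # lower boundary line, radians from the global x axis
    theta2: float  # upper boundary line, radians from the global x axis


def in_sector(gx, gy, b, R):
    """Grid-sector test (6): C1 is the range check, C2 the angle check."""
    dx, dy = gx - b.x, gy - b.y
    if math.hypot(dx, dy) > R:                    # C1: ||g - L_i|| <= R
        return False
    phi = math.atan2(dy, dx)                      # computed from coordinates, not measured
    width = (b.theta2 - b.theta1) % TWO_PI
    return (phi - b.theta1) % TWO_PI <= width     # C2, also valid when the sector wraps through 0


def search_area(beacons, R):
    """Step 2: rectangle (x_lo, x_hi, y_lo, y_hi) that must contain the sensor."""
    xs = [b.x for b in beacons]
    ys = [b.y for b in beacons]
    if max(xs) - min(xs) > 2 * R or max(ys) - min(ys) > 2 * R:
        # d_x <= 2R and d_y <= 2R must hold for locators heard by one sensor
        raise ValueError("beacon set is inconsistent with range R")
    return (max(xs) - R, min(xs) + R, max(ys) - R, min(ys) + R)


def serloc_estimate(beacons, R, step=0.5):
    """Steps 3 and 4: majority vote over a grid, then centroid of the top-scoring points."""
    x_lo, x_hi, y_lo, y_hi = search_area(beacons, R)
    nx = int((x_hi - x_lo) / step) + 1
    ny = int((y_hi - y_lo) / step) + 1
    best, winners = -1, []
    for i in range(nx):
        gx = x_lo + i * step
        for j in range(ny):
            gy = y_lo + j * step
            score = sum(in_sector(gx, gy, b, R) for b in beacons)
            if score > best:
                best, winners = score, [(gx, gy)]
            elif score == best:
                winners.append((gx, gy))
    n = len(winners)
    estimate = (sum(p[0] for p in winners) / n, sum(p[1] for p in winners) / n)
    return estimate, best


def heard_beacon(locator, sensor, M=8):
    """Constructed input: the sector of an M-sector locator that covers `sensor`."""
    lx, ly = locator
    phi = math.atan2(sensor[1] - ly, sensor[0] - lx) % TWO_PI
    width = TWO_PI / M
    k = min(int(phi // width), M - 1)
    return Beacon(lx, ly, k * width, (k + 1) * width)


# Constructed scenario: true sensor position and four locators within R of it.
R = 20.0
TRUE_POS = (12.0, 7.0)
LOCATORS = [(0.0, 0.0), (25.0, 5.0), (10.0, 22.0), (20.0, -5.0)]
BEACONS = [heard_beacon(loc, TRUE_POS) for loc in LOCATORS]

if __name__ == "__main__":
    est, score = serloc_estimate(BEACONS, R)
    err = math.dist(est, TRUE_POS)
    print(f"estimate=({est[0]:.2f}, {est[1]:.2f}) score={score} error={err:.2f} m")
```

A smaller `step` tightens the estimate at the cost of more grid-sector tests, which is the resolution and energy trade-off noted under Step 3.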


4.2  Accommodating  Node  Mobility 

In the case of a mobile WSN, both the locators and the sensors need to update
their current location estimation. While locators can acquire their position using
external means (either via satellites, or GPS-enabled fly-over nodes), sensors
still rely on locators to update their position. To allow sensors to reestimate
their location, locators need to periodically broadcast new beacons with their
coordinates and sector information.

4.2.1 Update Frequency of the Localization Information. Though sensors
passively determine their location via the broadcasted beacons (no information
exchange between sensors occurs), we want to broadcast beacons as infrequently
as possible in order to minimize the communication overhead at the
locators and the computational overhead at the sensors. On the other hand, the
updates need to be frequent enough to ensure a localization error within the desired
bound. The update frequency of the localization information is determined
by the mobility model adopted and the sensor hardware capabilities.

The mobility model indicates how frequently sensors move from one location
to the other and need to recompute their location. Though several mobility
models can characterize node movement in wireless ad hoc networks [Camp
et al. 2002], the mobility of energy-constrained sensors is expected to be rather
limited. Hence, it is reasonable to assume a limited mobility model such as
the random waypoint mobility model [Camp et al. 2002], according to which
sensors pause at one location for a specific time interval before moving towards
a random direction with a randomly chosen speed between $[v_{\min}, v_{\max}]$. If $T_{ps}$
denotes the pausing interval of a sensor, the minimum rate at which the locators
need to broadcast beacons is $f_u$ assuming that the pausing interval $T_{ps}$
is much longer than the time interval in which a sensor moves.

Furthermore, mobile sensors may be equipped with hardware capable of
providing relative positioning known as dead reckoning. Mobile units can determine
their relative position using accelerometers to measure the distance
traveled and gyroscopes to measure the change in direction [Yazdi et al. 1998].
A mobile sensor can utilize its last absolute position estimate computed via the
beacon information and the relative position measurements to dynamically update
its location without new beacons being transmitted. Such relative location
estimates are affected by both systematic and nonsystematic error.

Unlike  nonsystematic  error  that  is  introduced  by  random  sources,  we  can 
compensate  for  the  systematic  error  by  calibrating  the  system.  The  calibration 
can  be  achieved  by  comparing  the  position  estimated  via  dead  reckoning  with 
the  one  estimated  via  the  beacon  broadcasting.  If  the  relative  positioning  system 
requires  calibration  every  m  moves  of  the  mobile  sensor,  the  locators  need  to 
broadcast  beacons  with  a  frequency  not  lower  than  fu  >  . 

4.3  Security  Mechanisms  of  SeRLoc 

We now describe the security mechanisms of SeRLoc that facilitate sensor localization
in the presence of security threats.

Encryption. All beacons transmitted from locators are encrypted with a globally
shared symmetric key $K_0$. In addition, every sensor $s$ shares a symmetric
pairwise key $K_s^{L_i}$ with every locator $L_i$, also preloaded. Since the number of
locators deployed is relatively small, the storage requirement at the sensor
side is within the storage constraints (a total of $|L|$ keys). For example, mica
motes [MICA] have 128Kbytes of programmable flash memory. Using 64-bit
RC5 [Rivest 1995] symmetric keys and for a network with 400 locators, a total
of 3.2Kbytes of memory is required to store all the keys of the sensor with every
locator. In order to save storage space at the locator (locators would have to store
$|S|$ keys), pairwise keys $K_s^{L_i}$ are derived by a master key $K_{L_i}$, using a pseudorandom
function $h$ [Stinson 2002], and the unique sensor $ID_s$: $K_s^{L_i} = h_{K_{L_i}}(ID_s)$.
In Karlof et al. [2004], it was reported that a software implementation of RC5 requires
0.26ms execution time and an increase in energy consumption of 1%-4%.
It was also noted that a hardware implementation of RC5 can reduce both the
execution time and energy consumption for performing encryption/decryption.

Based on the size of the network deployment region, one can compute the
number of locators required for sufficient network coverage. However, the deployment
of additional locators may be required in order to improve the localization
accuracy at some parts of the network, expand it, or replace locators that
have failed. From the security point of view, the problem of adding new locators
to the system reduces to the problem of establishing pairwise keys between the
new locators and each of the sensors that are already deployed.

Since  sensors  are  hardware  and  energy  limited  devices,  solutions  based  on 
public  key  cryptography  or  symmetric  key  requiring  exponentiation  [Stinson 
2002]  cannot  be  employed.  Instead,  we  can  achieve  pairwise  key  establishment 
between  each  sensor  and  the  new  locators  by  preloading  the  sensors  with  more 
keys  than  the  number  of  locators  initially  deployed.  The  redundant  keys  can 
be  later  used  as  pairwise  keys  between  sensors  and  the  new  locators.  Another 
approach  is  to  load  sensors  with  some  secret  quantity  only  known  to  each  sensor 
and  the  authority  that  deploys  the  network.  The  deployment  authority  can  then 
load  the  new  locator-sensor  pairwise  keys  individually  to  each  sensor,  using  the 
secret  quantity. 

In the case where the network grows large enough so that the pairwise keys
of all locators cannot be stored at the sensor’s memory, the network can be
partitioned into clusters where sensors are loaded only with the pairwise keys
shared with the locators within each cluster. Adopting the clustered approach
ensures scalability for very large networks. To give a sense of scale, a sensor
needs a total of 3.2Kbytes of memory to store 400 64-bit RC5 keys, sufficient for
secure communication with 400 locators. If the locator-to-sensor communication
range is $R = 100$m and the 400 locators are randomly dispersed within an
area of 4 km$^2$ ($\rho_L = 10^{-4}$ locators/m$^2$), each sensor is able to hear ~ 3.141
locators on average. For a network deployed with a sensor density $\rho_s = 0.01$
sensors/m$^2$ which corresponds to each sensor being able to communicate on average
with $\rho_s \pi r^2 = 3.141$ sensors for $r = 10$m, we can accommodate a network
of 40,000 sensors. For larger sensor density usually required to guarantee network
connectivity and other network properties/functions, the supported sensor
network size can be even bigger.

Locator  ID  Authentication.  The  use  of  a  globally  shared  key  for  the  beacon 
encryption  allows  a  malicious  sensor  to  inject  bogus  beacons  into  the  network, 
in  the  absence  of  additional  security  mechanisms.  To  prevent  sensors  from 
broadcasting  bogus  beacons,  we  require  sensors  to  authenticate  the  source  of 
the  beacons  using  collision-resistant  hash  functions  [Stinson  2002]. 

We use the following scheme, based on efficient one-way hash chains
[Lamport 1981], to provide locator ID authentication. Each locator $L_i$ has a
unique password $PW_i$, blinded with the use of a collision-resistant hash function
such as SHA1 [Stinson 2002]. Due to the collision resistance property,
it is computationally infeasible for an attacker to find a $PW_j$ such that
$H(PW_i) = H(PW_j)$, $PW_i \neq PW_j$. The hash sequence is generated using the
following equation:

$$H^0 = PW_i, \quad H^i = H(H^{i-1}), \quad i = 1, \ldots, n,$$

with $n$ being a large number and $H^0$ never revealed to any sensor. Each sensor
is preloaded with a table containing the ID of each locator and the corresponding
hash value $H^n(PW_i)$. For a network with 400 locators, we need 9 bits to
represent locator IDs. In addition, collision-resistant hash functions such as
SHA1 [Stinson 2002] have a 160-bit output. Hence, the storage requirement of
the hash table at any sensor is 8.45 Kbytes.^ To reduce the storage needed at the
locators, we employ an efficient storage/computation method for hash chains of
time/storage complexity $O(\log^2(n))$ [Coppersmith and Jakobsson 2002].

The $j$th broadcast beacon from locator $L_i$ includes the hash value
$H^{n-j}(PW_i)$, along with the index $j$. Every sensor that hears the beacon accepts
the message only if $H(H^{n-j}(PW_i)) = H^{n-j+1}(PW_i)$. After verification, the
sensor replaces $H^{n-j+1}(PW_i)$ with $H^{n-j}(PW_i)$ in its memory and increases the
hash counter by one so as to perform only one hash operation in the reception
of the next beacon from the same locator $L_i$. The index $j$ is included in the beacons
so that sensors can resynchronize with the current published hash value
in case of loss of some intermediate hash values. The beacon of locator $L_i$ has
the following format:

$$L_i : \{ (X_i, Y_i) \;\|\; (\theta_1, \theta_2) \;\|\; (H^{n-j}(PW_i)) \;\|\; j \;\|\; ID_{L_i} \}_{K_0},$$

where $\|$ denotes the concatenation operation and $\{m\}_K$ denotes the encryption
of message $m$ with key $K$. Note that our method does not provide end-to-end
locator authentication, but only guarantees authenticity for the messages received
from locators directly heard by a sensor. This condition is sufficient to
secure our localization scheme against possible attacks. The pseudocode for
SeRLoc is presented in Figure 3.
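The hash-chain check described above can be exercised end to end with the following added example (not code from the paper). The class names, the beacon dictionary layout and the `MAX_GAP` bound are assumptions of this sketch; coordinates, sector angles and the $K_0$ encryption of the beacon are left out so that only the locator ID authentication is shown.

```python
import hashlib

def H(data: bytes) -> bytes:
    """The collision-resistant hash of the scheme (SHA1, 160-bit output)."""
    return hashlib.sha1(data).digest()

def chain_value(password: bytes, k: int) -> bytes:
    """Return H^k(PW): H applied k times, with H^0 = PW."""
    value = password
    for _ in range(k):
        value = H(value)
    return value

class Locator:
    """Publishes H^(n-j)(PW_i) in its j-th beacon, walking the chain backwards."""

    def __init__(self, locator_id: int, password: bytes, n: int):
        self.locator_id = locator_id
        self._password = password
        self.n = n
        self.j = 0

    def next_beacon(self) -> dict:
        if self.j + 1 >= self.n:
            raise RuntimeError("hash chain exhausted; H^0 = PW is never published")
        self.j += 1
        # Recomputed from PW for clarity: O(n) work per beacon in this sketch.
        value = chain_value(self._password, self.n - self.j)
        return {"id": self.locator_id, "j": self.j, "hash": value}

class Sensor:
    """Holds one (index, hash) pair per locator, preloaded with H^n(PW_i)."""

    # Assumption of this sketch: largest index jump a sensor will resynchronize
    # over. The bound caps the hashing a forged, very large index can trigger.
    MAX_GAP = 8

    def __init__(self, preloaded: dict):
        self.table = {lid: (0, h_n) for lid, h_n in preloaded.items()}

    def accept(self, beacon: dict) -> bool:
        entry = self.table.get(beacon["id"])
        if entry is None:
            return False                      # unknown locator ID
        last_j, last_hash = entry
        gap = beacon["j"] - last_j
        if not 1 <= gap <= self.MAX_GAP:
            return False                      # replayed, stale, or too far ahead
        value = beacon["hash"]
        for _ in range(gap):                  # one hash when no beacon was lost
            value = H(value)
        if value != last_hash:
            return False                      # does not chain to the stored value
        self.table[beacon["id"]] = (beacon["j"], beacon["hash"])
        return True

def demo() -> list:
    """Constructed run: accept, replay, resync after a lost beacon, stale, forged, next."""
    n, pw = 1000, b"constructed-password-for-L7"
    locator = Locator(7, pw, n)
    sensor = Sensor({7: chain_value(pw, n)})
    b1, b2, b3 = locator.next_beacon(), locator.next_beacon(), locator.next_beacon()
    # A node without PW can only hash forwards from a published value.
    forged = {"id": 7, "j": 4, "hash": H(b3["hash"])}
    return [
        sensor.accept(b1),                    # first beacon verifies against H^n
        sensor.accept(b1),                    # replay of the same beacon
        sensor.accept(b3),                    # b2 was lost: two hashes resynchronize
        sensor.accept(b2),                    # late b2 is now stale
        sensor.accept(forged),                # forward-hashed value does not verify
        sensor.accept(locator.next_beacon()), # genuine j = 4 still verifies
    ]

if __name__ == "__main__":
    print(demo())
```
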

5.  THREAT  ANALYSIS 

In  this  Section,  we  describe  possible  security  threats  against  SeRLoc  and 
show  that  SeRLoc  is  resilient  against  these  threats.  Note  that  our  goal  is 
not  to  prevent  the  attacks  that  may  be  harmful  in  many  network  protocols, 
but  to  allow  sensors  to  determine  their  location,  even  in  the  presence  of  such 
attacks. 

5.1  The  Wormhole  Attack 

5.1.1  Threat  Model.  To  mount  a  wormhole  attack,  an  attacker  initially 
establishes  a  direct  link  referred  to  as  a  wormhole  link  between  two  points  in 
the  network.  Once  the  wormhole  link  is  established,  the  attacker  eavesdrops 
messages  at  one  end  of  the  link,  referred  to  as  the  origin  point,  tunnels  them 


^The required storage at each sensor in order to store 400 64-bit RC5 keys and 400 160-bit SHA1 hash
values for secure communication with 400 locators is now 11.65 Kbytes.

SeRLoc: Secure Range-Independent Localization Scheme
L : broadcast L_i : { (X_i, Y_i) || (θ_1, θ_2) || (H^{n-j}(PW_i)) || j || ID_{L_i} }_{K_0}
s : define LH_s = {L_i : ||s − L_i|| ≤ R} ∩ {H(H^{n-j}(PW_i)) = H^{n-j+1}(PW_i)}
s : define A_s = [X_max − R, X_min + R, Y_max − R, Y_min + R]
for k = 1 : res
  for w = 1 : res
    g(k, w) = (x_gi, y_gi) = (X_max − R + k (X_min − X_max + 2R)/res, Y_max − R + w (Y_min − Y_max + 2R)/res)
    for z = 1 : |LH_s|
      if {||g(k, w) − L_z|| ≤ R} ∩ {θ_1 ≤ ∠g(k, w) ≤ θ_2}
        GST(k, w) = GST(k, w) + 1
s : define MG_s = {g(k, w) : {k, w} = arg max GST}
s : (x_est, y_est) = ( (1/|MG_s|) Σ_{i=1}^{|MG_s|} x_gi, (1/|MG_s|) Σ_{i=1}^{|MG_s|} y_gi )

Fig. 3. The pseudocode of SeRLoc.


Fig. 4. (a) Wormhole attack: an attacker records beacons in area B, tunnels them via the wormhole
link in area A, and rebroadcasts them. (b) Computation of the common area $A_c$, where locators are
heard by both s and O.

through  the  wormhole  link  and  replays  them  at  the  other  end,  referred  to  as 
the  destination  point.  The  wormhole  attack  is  very  difficult  to  detect  since  it  is 
launched  without  compromising  any  host  or  the  integrity  and  authenticity  of 
the  communication  [Hu  et  al.  2003;  Papadimitratos  and  Haas  2002]. 

In  the  case  of  SeRLoc,  an  attacker  records  the  beacons  transmitted  from 
locators  at  the  origin  point  and  replays  them  at  the  destination  point,  thus 
providing  false  localization  information  to  the  sensors  attacked.  In  Figure  4(a), 
the  attacker  records  beacons  at  region  B,  tunnels  them  via  the  wormhole  link 
in  region  A,  and  replays  them,  thus  leading  sensor  s  to  believe  that  it  can  hear 
locators  (Li  ~  Lg). 

5.1.2 Detecting Wormholes in SeRLoc. We now show how a sensor can detect
a wormhole attack using two properties: the single message/sector per
locator property and the communication range constraint property.

Single Message/Sector per Locator Property. The origin point O of the wormhole
attack defines the set of locators $LH_s^r$ replayed to the sensor s under attack.
The location of the sensor defines the set of locators $LH_s^d$ directly heard by the
sensor s, with $LH_s = LH_s^r \cup LH_s^d$. Based on the single message/sector per locator
property we show that the wormhole attack is detected when $LH_s^r \cap LH_s^d \neq \emptyset$.

Fig. 5. (a) Single message/sector per locator property: a sensor s cannot hear two messages
authenticated with the same hash value. (b) Communication range violation property: a sensor s
cannot hear two locators more than 2R apart. (c) Combination of the two properties for wormhole
detection.

Lemma 5.1. Single message per locator/sector property: reception of multiple
messages authenticated with the same hash value is due to replay, multipath
effects, or imperfect sectorization.

Proof. In the absence of any attack, it is feasible for a sensor to hear multiple
sectors due to multipath effects. In addition, a sensor located at the boundary
of two sectors can also hear multiple sectors even if there is no multipath
or attack. We assume that all sectors are transmitted simultaneously, and the
same but fresh hash value is used to authenticate them per beacon transmission.
Hence, sensors will only accept the first message arriving from any sector
of the same locator per transmission.

Due to the use of an identical but fresh hash in all sectors per transmission,
if an adversary replays a message from any sector of a locator directly heard
by the sensor under attack, the sensor will have already received the hash via
the direct path and, hence, detect the attack and reject the message. □

If we consider reception of multiple messages containing the same hash value
due to multipath effects or imperfect sectorization to be a replay attack, a sensor
will always assume it is under attack when it receives messages with the same
hash value. Hence, an adversary launching a wormhole attack will always be
detected if it replays a message from locator $L_i \in LH_s^d$, that is, if
$LH_s^r \cap LH_s^d \neq \emptyset$. In Figure 5(a), $A_s$ denotes the area where $L_i \in LH_s^d$ (circle of radius R
centered at s), $A_o$ denotes the area where $L_i \in LH_s^r$ (circle of radius R centered
at O), and the shaded area $A_c$ denotes the common area $A_c = A_s \cap A_o$.

Claim 5.2. The detection probability $P(SG)$ due to the single message/sector
per locator property is equal to the probability that at least one locator lies within
an area of size $A_c$, and is given by

$$P(SG) = 1 - e^{-\rho_L A_c}, \quad \text{with } A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (8)$$

with $l$ as the distance between the origin point and the sensor under attack.

Fig. 6. Wormhole detection probability based on (a) the single message/sector per locator property,
P(SG). (b) A lower bound on the wormhole detection based on the communication range violation
property, P(CR). (c) A lower bound on the wormhole detection probability for SeRLoc.

Proof. If a locator $L_i$ lies inside $A_c$, it is less than R units away from a
sensor s and, therefore, $L_i \in LH_s^d$. Locator $L_i$ is also less than R units away
from the origin point of the attack O, and, therefore, $L_i \in LH_s^r$. Hence, if a
locator lies inside $A_c$, $LH_s^r \cap LH_s^d \neq \emptyset$, and the attack is detected due to the
single message/sector per locator property. The detection probability $P(SG)$ is
equal to the probability that at least one locator lies within $A_c$. If $LH_{A_c}$ denotes
the set of locators located within area $A_c$ then:

$$P(SG) = P(|LH_{A_c}| \geq 1) = 1 - P(|LH_{A_c}| = 0) = 1 - e^{-\rho_L A_c}, \qquad (9)$$

where $A_c$ can be computed from Figure 4(b) to be:

$$A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (10)$$

with $l = \|s - O\|$. □

Figure 6(a) presents the detection probability $P(SG)$ vs. the locator density
$\rho_L$ and the distance $\|s - O\|$ between the origin point and the sensor under
attack, normalized over R. We observe that if $\|s - O\| \geq 2R$, then $A_c = 0$,
and the use of the single message/sector per locator property is not sufficient to
detect a wormhole attack. For distances $\|s - O\| \geq 2R$, a wormhole attack can
be detected using the following communication range constraint property.

Communication Range Violation Property. Given the coordinates of node s,
all locators $LH_s$ heard by s should lie within a circle of radius R, centered at s.
Since node s is not aware of its location, it relies on its knowledge of the
locator-to-sensor communication range R to verify that the set $LH_s$ satisfies Lemma 5.3.

Lemma 5.3. Communication Range Constraint Property: A sensor s cannot
hear two locators $L_i, L_j \in LH_s$ more than 2R apart, that is,
$\|L_i - L_j\| \leq 2R, \; \forall L_i, L_j \in LH_s$.

Proof. Any locator $L_i \in LH_s$ has to lie within a circle of radius R, centered
at the sensor s (area $A_s$ in Figure 5(b)), $\|L_i - s\| \leq R, \; \forall L_i \in LH_s$. Hence,

$$\|L_i - L_j\| = \|L_i - s + s - L_j\| \leq \|L_i - s\| + \|s - L_j\| \leq R + R = 2R. \qquad (11)$$

□

Using the coordinates of $LH_s$, a sensor can detect a wormhole attack if the
communication range constraint property is violated. We now compute the detection
probability $P(CR)$ due to the communication range constraint property.

Claim 5.4. A wormhole attack is detected due to the communication range
constraint property, with a probability:

$$P(CR) \geq (1 - e^{-\rho_L A_i^*})^2, \quad A_i^* = x\sqrt{R^2 - x^2} - R^2 \tan^{-1}\left(\frac{x\sqrt{R^2 - x^2}}{x^2 - R^2}\right), \qquad (12)$$

where $x = \frac{\|s - O\|}{2}$.

Proof. Consider Figure 5(b), where $\|s - O\| = 2R$. If any two locators within
$A_s$, $A_o$ have a distance larger than 2R, a wormhole attack is detected. Though
$P(CR)$ is not easily computed analytically, we can obtain a lower bound on
$P(CR)$ by considering the following event. In Figure 5(b), the vertical lines
defining shaded areas $A_i$, $A_j$ are perpendicular to the line connecting s, O,
and have a separation of 2R. If there is at least one locator $L_i$ in the shaded
area $A_i$ and at least one locator $L_j$ in the shaded area $A_j$, then $\|L_i - L_j\| > 2R$,
and the attack is detected. Note that this event does not include all possible
locations of locators for which $\|L_i - L_j\| > 2R$, and hence it yields a lower
bound. If $\mathcal{LH}_{A_i,A_j}$ denotes the event $(|LH_{A_i}| > 0 \cap |LH_{A_j}| > 0)$ then,

$$P(CR) = P(\|L_i - L_j\| > 2R, \; L_i, L_j \in LH_s)$$
$$\geq P(CR \cap \mathcal{LH}_{A_i,A_j}) \qquad (13)$$
$$= P(CR \mid \mathcal{LH}_{A_i,A_j}) \, P(\mathcal{LH}_{A_i,A_j}) \qquad (14)$$
$$= P(\mathcal{LH}_{A_i,A_j}) \qquad (15)$$
$$= (1 - e^{-\rho_L A_i})(1 - e^{-\rho_L A_j}), \qquad (16)$$

where (13) follows from the fact that the probability of the intersection of two
events is always less or equal to the probability of one of the events; (14) follows
from the definition of the conditional probability; (15) follows from the fact
that when $\mathcal{LH}_{A_i,A_j}$ is true, we always have a communication range constraint
violation ($P(CR \mid \mathcal{LH}_{A_i,A_j}) = 1$); and (16) follows from the fact that $A_i$, $A_j$ are
disjoint areas and that locators are randomly deployed.

We can maximize the lower bound of $P(CR)$ by finding the optimal values
$A_i^*$, $A_j^*$. In Appendix 2, we prove that the lower bound in (16) attains its maximum
value when $A_i^* = \max\{A_i\}$, subject to the constraint $A_i = A_j$ ($A_i$, $A_j$ are
symmetric). We also prove that $A_i^*$, $A_j^*$ are expressed by

$$A_i^* = A_j^* = x\sqrt{R^2 - x^2} - R^2 \tan^{-1}\left(\frac{x\sqrt{R^2 - x^2}}{x^2 - R^2}\right), \quad \text{and } x = \frac{\|s - O\|}{2}. \qquad (17)$$

Inserting (17) into (16) yields the required result, $P(CR) \geq (1 - e^{-\rho_L A_i^*})^2$. □

In Figure 6(b), we show the maximum lower bound on $P(CR)$ vs. the locator
density $\rho_L$, and the distance $\|s - O\|$ normalized over R. The lower bound
on $P(CR)$ increases with the increase of $\|s - O\|$ and attains its maximum
value for $\|s - O\| = 4R$ when $A_i^* = A_j^* = \pi R^2$. For distances $\|s - O\| \geq 4R$
a wormhole attack is always detected based on the communication range
constraint property since any locator within $A_o$ will be more than 2R apart
from any locator within $A_s$.

Detection Probability $P_{det}$ of the Wormhole Attack Against SeRLoc. We now
combine the two detection mechanisms, namely the single message/sector per
locator property and the communication range constraint property, for computing
the detection probability of a wormhole attack against SeRLoc.

Claim 5.5. The detection probability of a wormhole attack against SeRLoc
is lower bounded by $P_{det} \geq (1 - e^{-\rho_L A_c}) + (1 - e^{-\rho_L A_i^*})^2 e^{-\rho_L A_c}$.

Proof. In the computation of the communication range constraint property,
by setting $A_i = A_j$ and maximizing $A_i$ regardless of the distance $\|s - O\|$,
the areas $A_i$, $A_j$, and $A_c$ do not overlap as shown in Figure 5(c). Hence, the
corresponding events of finding a locator at any of these areas are independent
and we can derive a lower bound on the detection probability $P_{det}$ by combining
the two properties.

$$P_{det} = P(SG \cup CR) = P(SG) + P(CR) - P(SG)P(CR)$$
$$= P(SG) + P(CR)(1 - P(SG))$$
$$\geq (1 - e^{-\rho_L A_c}) + (1 - e^{-\rho_L A_i^*})^2 e^{-\rho_L A_c}. \qquad (18)$$

The left side of (18) is a lower bound on $P_{det}$ since $P(CR)$ was also lower
bounded. □

In Figure 6(c), we show the lower bound on $P_{det}$ vs. the locator density $\rho_L$ and
the distance $\|s - O\|$ normalized over R. For values of $\|s - O\| \geq 4R$, $P_{CR} = 1$
since any $L_i \in LH_s^d$ will be more than 2R away from any $L_j \in LH_s^r$ and hence,
the wormhole attack is always detected. From Figure 6(c), we observe that a
wormhole attack is detected with a probability very close to unity, independent
of the origin and destination point of the attack. The intuition behind (18)
is that there is at most $(1 - P_{det})$ probability for a specific realization of the
network to have an origin and destination point where a wormhole attack would
be successful. Even if such realization occurs, the attacker has to acquire full
knowledge of the network topology and, based on the geometry, locate the origin
and destination point where the wormhole link can be established.
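The two sensor-side checks, and the probability $P(SG)$ of equations (8) to (10), are shown below as an added example (not code from the paper). The beacon dictionaries, locator positions and string stand-ins for hash values are constructed; the function names are hypothetical, and the $P(CR)$ bound of (12) is not evaluated here.

```python
import math
from itertools import combinations

def duplicate_hash_locators(beacons):
    """Single message/sector per locator property: IDs of locators for which the
    same (ID, hash) pair was received more than once."""
    seen, duplicated = set(), set()
    for b in beacons:
        key = (b["id"], b["hash"])
        if key in seen:
            duplicated.add(b["id"])
        seen.add(key)
    return sorted(duplicated)

def range_violations(beacons, R):
    """Communication range constraint (Lemma 5.3): pairs of heard locators whose
    advertised coordinates are more than 2R apart."""
    pos = {b["id"]: b["pos"] for b in beacons}
    return [(a, b) for a, b in combinations(sorted(pos), 2)
            if math.dist(pos[a], pos[b]) > 2 * R]

def wormhole_detected(beacons, R):
    """A sensor flags an attack if either property is violated."""
    return bool(duplicate_hash_locators(beacons)) or bool(range_violations(beacons, R))

def common_area(R, l):
    """A_c of (8)/(10): overlap of two radius-R discs whose centres are l apart."""
    if l >= 2 * R:
        return 0.0
    phi = math.acos(l / (2 * R))
    return 2 * R * R * phi - R * l * math.sin(phi)

def p_sg(rho_L, R, l):
    """P(SG) = 1 - exp(-rho_L * A_c): at least one locator lies inside A_c."""
    return 1.0 - math.exp(-rho_L * common_area(R, l))

# Constructed scenarios, R = 100 m, sensor s at (0, 0) (unknown to s itself).
R = 100.0

# Scenario 1: origin point O at (150, 0). Locator 1 lies in A_c, so its beacon
# arrives twice; locator 3 is near O and more than 2R from locator 2.
DIRECT_1 = [{"id": 1, "pos": (60.0, 10.0), "hash": "h1"},
            {"id": 2, "pos": (-30.0, 70.0), "hash": "h2"}]
REPLAY_1 = [{"id": 1, "pos": (60.0, 10.0), "hash": "h1"},
            {"id": 3, "pos": (230.0, 20.0), "hash": "h3"}]

# Scenario 2: same O, but no locator lies in A_c and the single replayed locator
# is within 2R of everything s hears directly: neither check fires. This is the
# residual case that 1 - P_det accounts for.
DIRECT_2 = [{"id": 4, "pos": (-20.0, 50.0), "hash": "h4"},
            {"id": 5, "pos": (40.0, -30.0), "hash": "h5"}]
REPLAY_2 = [{"id": 6, "pos": (150.0, 40.0), "hash": "h6"}]

# Scenario 3: O is 5R away, so A_c is empty and only the range check can fire.
REPLAY_3 = [{"id": 7, "pos": (480.0, 0.0), "hash": "h7"}]

def run_scenarios():
    return {
        "near_origin": (duplicate_hash_locators(DIRECT_1 + REPLAY_1),
                        range_violations(DIRECT_1 + REPLAY_1, R)),
        "missed": wormhole_detected(DIRECT_2 + REPLAY_2, R),
        "far_origin": (duplicate_hash_locators(DIRECT_2 + REPLAY_3),
                       range_violations(DIRECT_2 + REPLAY_3, R)),
    }

if __name__ == "__main__":
    print(run_scenarios())
    for l in (50.0, 150.0, 200.0):
        print(l, round(p_sg(1e-4, R, l), 4))
```
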

Location Resolution Algorithm. Although a wormhole can be detected using
one of the two detection mechanisms, a sensor s under attack cannot distinguish
the set of locators directly heard $LH_s^d$ from the set of locators replayed $LH_s^r$ and,
hence, estimate its location. To resolve the location ambiguity, sensor s executes
the Attach to Closer Locator Algorithm (ACLA).

Assume that a sensor authenticates a set of locators $LH_s = LH_s^d \cup LH_s^r$, but
detects that it is under attack.

Step 1. Sensor s broadcasts a randomly generated nonce $\eta_s$ and its $ID_s$.

Step 2. Every locator hearing the broadcast of sensor s replies with a beacon
that includes localization information and the nonce $\eta_s$, encrypted with the
pairwise key $K_s^{L_i}$ instead of the broadcast key $K_0$. The sensor identifies the
locator $L'_i$ that replies first with an authentic message that includes $\eta_s$.

Step 3. Sensor s identifies the set $LH_s^d$ as all the locators whose sectors
overlap with the sector of $L'_i$, and executes SeRLoc with $LH_s = LH_s^d$.

Attach to Closer Locator Algorithm (ACLA)
s : broadcast { η_s || ID_s }
if L_i hears { η_s || ID_s } reply
  L_i : { η_s || (X_i, Y_i) || (θ_1, θ_2) || (H^{n-j}(PW_i)) || j || ID_{L_i} }_{K_s^{L_i}}
L'_i : first authentic reply from a locator.
LH_s^d = { L_i ∈ LH_s : sector{L_i} intersects sector{L'_i} }
s : execute SeRLoc with LH_s = LH_s^d

Fig. 7. The pseudocode of ACLA.

The pseudocode of ACLA is presented in Figure 7. Note that the closest
locator to sensor s will always reply first if it directly hears the broadcast from
s and not through a replay from an adversary. In order for an adversary to force
sensor s to accept set $LH_s^r$ as the valid locator set, it can only replay the nonce
$\eta_s$ to a locator $L_i \in LH_s^r$, record the reply, tunnel via the wormhole, and replay
it in the vicinity of s. However, a reply from a locator in $LH_s^r$ will arrive later
than any reply from a locator in $LH_s^d$ since locators in $LH_s^r$ are further away
from s than locators in $LH_s^d$.

To execute ACLA, a sensor must be able to communicate bidirectionally with
at least one locator. The probability $P_{sL}$ of a sensor having a bidirectional link
with at least one locator, and the probability $P_{td}$ that all sensors can bidirectionally
communicate with at least one locator can be computed as:


^l_e-PLnPGy  p  I  i_^-PLnPGy 


Hence, we can select the system parameters $\rho_L$, $G$ so every sensor has a
bidirectional link with at least one locator with any desired probability.

5.2  Sybil  Attack 

Threat Model. In the Sybil attack [Douceur 2002; Newsome et al. 2004], an
adversary is able to fabricate legitimate node IDs or assume the IDs of existing
nodes in order to impersonate multiple network entities. Unlike the wormhole
attack, in the Sybil attack model, the adversary may have access to cryptographic
quantities necessary to assume node IDs. Hence, the adversary can
insert bogus information into the network. A solution for the Sybil attack for
WSNs was recently proposed in Newsome et al. [2004].

Sybil Attack Against SeRLoc. In SeRLoc, sensors do not rely on other sensors
to compute their location. Therefore, an attacker has no incentive to assume
sensor IDs. An adversary can impact SeRLoc if it successfully impersonates
locators. Since sensors are preloaded with valid locator IDs along with the hash
values corresponding to the head of the reversed hash chain, an adversary can
only duplicate existing locator IDs by compromising the globally shared key $K_0$.

Once $K_0$ has been compromised, the adversary has access to both locator
IDs, the hash chain values published by the locators as well as the coordinates
of the locators. Since sensors always have the latest published hash values from
the locators that they directly hear, an adversary can only impersonate locators
that are not directly heard by the sensors under attack. The adversary can
generate bogus beacons, attach an already published hash value from a locator
not heard by the sensor under attack, and encrypt it with the compromised $K_0$.

Depending on the type of locators used, static or mobile, an adversary can
impersonate locators in different ways. If the locators are static and their location
is known before deployment, the coordinates of all locators can be preloaded to
every sensor. Hence, the adversary cannot advertise a location that is different
from the actual coordinates of an impersonated locator. In such a case, the
Sybil attack is equivalent to a replay attack since the adversary cannot alter
the content of the beacons.^ If the locators are mobile, or their coordinates cannot
be preloaded to the sensors before deployment, the adversary can place the
impersonated locators at arbitrary positions. Hence, by impersonating a higher
number of locators than the ones directly heard by the sensor under attack, the
adversary can compromise the majority vote scheme of SeRLoc and displace
the sensor.

Defense Against the Sybil Attack. Though we do not provide a mechanism to
prevent an adversary from impersonating locators except for the ones directly
heard by a sensor, we can still determine the position of sensors in the presence
of a Sybil attack. In the case where sensors know a priori the coordinates of the
locators, the sensor can detect the Sybil attack with the same mechanisms used
for the wormhole attack since the Sybil attack becomes a beacon replay. In the
case where the coordinates of the locators are not preloaded to the sensors, an
adversary can manipulate the coordinates of the impersonated locators so that
neither of the wormhole defense mechanisms detects an anomaly. The adversary
needs to impersonate more than $|LH_s^d|$ locators in order to displace the sensor s.
To avoid sensor displacement, we propose the following enhancement.

Since the locator density $\rho_L$ is known before deployment, we can select a
threshold value $L_{max}$ as the maximum allowable number of locators heard by
each sensor. If a sensor hears more than $L_{max}$ locators, it assumes that it is
under attack and executes ACLA to determine its position. The probability
that a sensor s hears more than $L_{max}$ locators is given by

$$P(|LH_s| \geq L_{max}) = 1 - P(|LH_s| < L_{max}) = 1 - \sum_{i=0}^{L_{max}-1} \frac{(\rho_L \pi R^2)^i}{i!} e^{-\rho_L \pi R^2}. \qquad (20)$$

Using (20), we can select the value of $L_{max}$ so that there is a very small
probability for a sensor to hear more than $L_{max}$ locators, while there is a very
high probability for a sensor to hear more than $\frac{L_{max}}{2}$ locators. If a sensor hears
more than $L_{max}$ locators without being under attack, the detection mechanism
will result in a false positive alarm and force the sensor to execute ACLA to
successfully locate itself. However, if a sensor hears less than $\frac{L_{max}}{2}$ locators, the sensor is
vulnerable to a Sybil attack. Therefore, we must select a threshold $L_{max}$ so that
any sensor hears less than $\frac{L_{max}}{2}$ locators with a probability very close to zero.


^The adversary can alter the angle information contained in the beacon. However, this is equivalent
to replaying the beacon of another sector.

Fig. 8. $P(|LH_s| \geq L_{max})$ vs. $L_{max}$ for varying locator densities $\rho_L$.

In Figure 8, we show $P(|LH_s| \geq L_{max})$ vs. $L_{max}$, for varying locator densities
$\rho_L$. Based on Figure 8, we can select the appropriate $L_{max}$ for each value of $\rho_L$.
For example, when $\rho_L = 0.03$, a choice of $L_{max} = 46$ allows a sensor to localize
itself when under Sybil attack with a probability $P(|LH_s| \geq 23) = 0.995$, while
the false positive alarm probability is $P(|LH_s| \geq 46) = 0.1045$.
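The threshold selection from (20) can be carried out numerically, as in this added example (not code from the paper). The function names are hypothetical, and $R = 20$ m is an assumption, since the range behind Figure 8 is not stated in this section; with $\rho_L = 0.03$ it gives a mean of about 37.7 locators heard.

```python
import math

def p_hear_at_least(k, rho_L, R):
    """Equation (20): P(|LH_s| >= k) = 1 - sum_{i=0}^{k-1} lam^i / i! * exp(-lam),
    with lam = rho_L * pi * R^2 the mean number of locators heard."""
    lam = rho_L * math.pi * R * R
    term = math.exp(-lam)          # i = 0 term of the Poisson pmf
    cdf = 0.0
    for i in range(k):
        cdf += term
        term *= lam / (i + 1)      # pmf(i + 1) from pmf(i)
    return max(0.0, 1.0 - cdf)

def evaluate_threshold(l_max, rho_L, R):
    """The two quantities traded off when picking L_max.

    false_alarm: a sensor that is not under attack still hears >= L_max locators
                 and runs ACLA needlessly.
    resilient:   a sensor hears >= L_max / 2 legitimate locators, so fewer than
                 L_max impersonated ones cannot outvote them unnoticed.
    """
    return {
        "false_alarm": p_hear_at_least(l_max, rho_L, R),
        "resilient": p_hear_at_least(l_max // 2, rho_L, R),
    }

def choose_l_max(rho_L, R, max_false_alarm):
    """Smallest even L_max whose false-alarm probability is <= max_false_alarm."""
    l_max = 2
    while p_hear_at_least(l_max, rho_L, R) > max_false_alarm:
        l_max += 2
    return l_max

def too_many_locators(heard_ids, l_max):
    """Sensor-side trigger for the location resolution algorithm. The alarm event
    follows (20), which counts |LH_s| >= L_max."""
    return len(set(heard_ids)) >= l_max

if __name__ == "__main__":
    RHO_L, R = 0.03, 20.0          # R is an assumption of this example
    print(evaluate_threshold(46, RHO_L, R))
    for target in (0.1, 0.05, 0.01):
        l_max = choose_l_max(RHO_L, R, target)
        print(target, l_max, evaluate_threshold(l_max, RHO_L, R))
```

Lowering the false-alarm target raises $L_{max}$, which in turn lowers the probability of hearing at least $L_{max}/2$ legitimate locators, so both values should be inspected together.
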

5.3  Compromised  Network  Entities 

In  this  section,  we  examine  the  robustness  of  SeRLoc  against  compromised 
network  entities.  We  consider  a  sensor  node  or  a  locator  node  to  be  compromised 
if  an  attacker  assumes  full  control  over  the  behavior  of  the  node  and  knows  all 
the  keys  stored  at  the  compromised  node. 

Compromised Sensors. Though sensors are assumed to be easier to compromise,
an attacker has no incentive to compromise sensors since they do not
actively participate in the localization procedure. The only benefit in compromising
a sensor is to gain access to the globally shared key $K_0$.

Compromised Locators. An adversary that compromises a locator $L_i$ gains access
to the globally shared key $K_0$, the pairwise keys $K_s^{L_i}$ that the compromised
locator shares with every sensor, as well as all the hash values of the locator's
hash chain. By compromising a single locator, the adversary can displace any
sensor by impersonating the compromised locator from a position closer to the
sensor under attack compared to the closest legitimate locator. The adversary
impersonates multiple locators in order to force location ambiguity to the sensor
under attack. Once the attack is detected, sensor s executes ACLA to resolve its
location ambiguity. Since the adversary is closer to the sensor s than the closest
legitimate locator, its reply will arrive to s first. Hence, s will assume that the
impersonated set of locators is the valid one and will be displaced.

To avoid sensor displacement by a single locator compromise, we can intensify
the resilience of SeRLoc to locator compromise by involving more than one
locator in the location resolution algorithm at the expense of higher communication
overhead. A sensor s under attack can execute the Enhanced Location
Resolution Algorithm (ELRA) that follows.

Enhanced Location Resolution Algorithm (ELRA)
s : broadcast { η_s || LH_s || ID_s }
RL_s = { L_i : ||s − L_i|| ≤ r_sL }
RL_s : broadcast { η_s || LH_s || ID_s || (X_i, Y_i) || H^{n-j}(PW_i) || j || ID_{L_i} }_{K_0}
BL_s = { L_i : ||RL_s − L_i|| ≤ r_LL } ∩ LH_s
BL_s : broadcast { η_s || (X_i, Y_i) || (θ_1, θ_2) || H^{n-j}(PW_i) || j || ID_{L_i} }_{K_s^{L_i}}
s : collect first L_max authentic beacons from BL_s
s : execute SeRLoc with collected beacons

Fig. 9. The pseudocode for the Enhanced Location Resolution Algorithm (ELRA).

Step 1. Sensor s broadcasts a randomly generated nonce $\eta_s$, the set of locators
heard $LH_s$, and its $ID_s$.

$$s : \{ \eta_s \;\|\; LH_s \;\|\; ID_s \}. \qquad (21)$$

Step 2. Every locator $L_i$ receiving the broadcast from s appends its coordinates,
the next hash value of its hash chain and its $ID_{L_i}$, encrypts the message
with $K_0$, and rebroadcasts the message to all sectors.

$$L_i : \{ \eta_s \;\|\; LH_s \;\|\; ID_s \;\|\; (X_i, Y_i) \;\|\; H^{n-j}(PW_i) \;\|\; j \;\|\; ID_{L_i} \}_{K_0}. \qquad (22)$$

Step 3. Every locator receiving the rebroadcast verifies the authenticity of
the message, and that the transmitting locator is within its range. If the verification
is correct and the receiving locator belongs to $LH_s$, the locator broadcasts
a new beacon with location information and the nonce $\eta_s$ encrypted with the
pairwise key with sensor s.

$$L_i : \{ \eta_s \;\|\; (X_i, Y_i) \;\|\; (\theta_1, \theta_2) \;\|\; H^{n-j}(PW_i) \;\|\; j \;\|\; ID_{L_i} \}_{K_s^{L_i}}. \qquad (23)$$

Step  4.  The  sensor  collects  the  first  Lmax  authentic  replies  from  locators  and 
executes  SeRLoc  with  LHs  = 

The  pseudocode  for  the  enhanced  location  resolution  algorithm  is  presented 
in  Figure  9.  Note  that  for  a  locator  to  hear  the  sensor’s  broadcast,  it  has  to 
be  within  a  range  Vsl  —  rG^  from  the  sensor.  Furthermore,  in  order  for  a  the 
sensor  to  make  the  correct  location  estimate,  all  locators  within  a  range  R  from 
s  need  to  provide  new  beacon  information. 

Claim  5.6.  Every  locator  positioned  within  R  from  a  sensor  s  is  within  the 
range  of  any  locator  positioned  at  a  distance  rsL  from  the  sensor  s. 

Proof.  For  any  locator  positioned  at  a  distance  rsL  from  the  sensor  s  to  reach 
any  locator  positioned  at  a  distance  R  from  sensor  s,  the  following  condition 
has  to  hold:  r^L  >R+rsL-  Substituting  the  expressions  for  the  communication 
ranges  from  Table  I. 

RG^y  >R +rGy  ^  (24) 

rGy 

2  2 

Since  R  >  rGy  by  assumption,  and  G>'  >  1,  the  left  side  of  (24)  is  always 
greater  than  one.  □ 

Each beacon broadcast from a locator has to include the nonce ηs initially
broadcast by the sensor and be encrypted with the pairwise key between the
sensor and the locator. Hence, given that the sensor has at least locators
within range R with very high probability (see Figure 8), the adversary has
to compromise at least + 1) locators in order to compromise the majority
vote scheme of SeRLoc. In addition, the attacker has to possess the hardware
capabilities to process and transmit + 1) replies before replies from
valid locators reach the sensor under attack. Our enhanced location resolution
algorithm significantly increases the resilience of SeRLoc to locator compromise
at the expense of higher communication overhead at the locators.
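
The sensor-side handling of replies in Step 4, together with the nonce binding described above, can be sketched as follows. This is an added example, not code from the paper: it uses HMAC-SHA256 as a stand-in for the pairwise-key encryption, and the function names, reply fields, keys, nonces and beacon payload are assumptions constructed for illustration.

```python
import hashlib
import hmac

def _tag(key, nonce, loc_id, beacon):
    """MAC over length-prefixed fields so field boundaries cannot be shifted."""
    fields = (nonce, loc_id.encode(), beacon)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_reply(loc_id, key, nonce, beacon):
    """Locator side: answer the sensor's query, echoing its nonce."""
    return {"id": loc_id, "nonce": nonce, "beacon": beacon,
            "tag": _tag(key, nonce, loc_id, beacon)}

def collect_authentic(replies, pair_keys, nonce, l_max):
    """Sensor side: keep the first l_max replies, in arrival order, that verify
    under the pairwise key and carry the nonce of the current query."""
    accepted, seen = [], set()
    for r in replies:
        key = pair_keys.get(r["id"])
        if key is None or r["id"] in seen:
            continue                       # unknown locator, or a second reply
        if r["nonce"] != nonce:
            continue                       # beacon recorded from an earlier query
        if not hmac.compare_digest(_tag(key, nonce, r["id"], r["beacon"]), r["tag"]):
            continue                       # forged or altered reply
        seen.add(r["id"])
        accepted.append(r["id"])
        if len(accepted) == l_max:
            break
    return accepted

def demo():
    """Constructed exchange: keys, nonces and beacons are sample values."""
    keys = {f"L{i}": bytes([i]) * 16 for i in range(1, 5)}
    old, cur = b"\x00" * 8, b"\x01" * 8
    beacon = b"(x,y)|sector"
    arrivals = [
        make_reply("L1", keys["L1"], old, beacon),           # replay of an old beacon
        make_reply("L2", b"attacker-key-000", cur, beacon),  # made without L2's key
        make_reply("L3", keys["L3"], cur, beacon),
        make_reply("L3", keys["L3"], cur, beacon),           # duplicate
        make_reply("L1", keys["L1"], cur, beacon),
        make_reply("L2", keys["L2"], cur, beacon),
        make_reply("L4", keys["L4"], cur, beacon),           # arrives after l_max is met
    ]
    return collect_authentic(arrivals, keys, cur, l_max=3)
```

A rejected reply does not mark its locator as seen, so a forged reply arriving first cannot crowd out the genuine one from the same locator.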

6.  PERFORMANCE  EVALUATION 

In this section, we compare the performance of SeRLoc with state-of-the-art
localization techniques, namely DV-Hop [Niculescu and Nath 2001], Amorphous
localization [Nagpal et al. 2003], Centroid localization [Bulusu et al. 2000],
APIT [He et al. 2003], and its theoretical ideal version PIT [He et al. 2003].
Based on our simulations, we show that SeRLoc has superior performance in
localization accuracy and requires significantly fewer resources than other
methods. Since we did not implement SeRLoc and the other localization schemes in a
real environment, our results and conclusions hold for the assumptions made in
the simulation. To emulate the conditions of a real deployment, we also
evaluated SeRLoc under error in the locators’ coordinates and false estimation of the
antenna sector that includes the sensors and empirically showed that SeRLoc
is robust against both sources of error.

6.1  Simulation  Setup 

We randomly distributed 5,000 sensors within a 100 × 100 m² rectangular area.
We also randomly placed locators within the same area and computed the
average localization error as


|S|  ^ 


(25) 


where S is the set of sensors, Si is the sensor estimated position, si is the real
position, and r is the sensor-to-sensor communication range.


6.2 Localization Error vs. Locators Heard

In our first experiment, we investigated the impact of the average number of
locators heard LH on the localization error. In order to provide a fair comparison
of SeRLoc with other methods, we normalize LH for SeRLoc by multiplying
LH with the number of sectors used. For example, when LH = 9, with SeRLoc
using three sectors, we deployed one third of the locators for SeRLoc compared
to other methods. Given the size of the deployment region A and the communication
range R, one can compute the absolute value of the number of
locators |L| that need to be deployed in order to achieve a specific LH via the
formula

|L| = ^LH. (26)

ACM Transactions on Sensor Networks, Vol. 1, No. 1, August 2005.

[Figure 10, panel titles: (a) Avg. LE for randomly distributed sensor networks; (b) Avg. LE for different number of antenna sectors M.]

Fig. 10. (a) Average localization error LE vs. average number of locators heard LH for a network
of |Ai| = 5,000 and locator-to-sensor ratio y = 10. (b) LE vs. LH for varying antenna sectors.

[Figure 11, panel titles: (a), (b) Cumulative Distribution Function of Localization Error.]

Fig. 11. The cumulative distribution function (cdf) of the localization error of SeRLoc when M = 3
and (a) LH = 4, (b) LH = 8.

In Figure 10(a), we show the LE vs. LH with SeRLoc using three sectors
and y = 10. We observe that in terms of location estimation alone, SeRLoc is
superior to all other range-independent algorithms compared [Niculescu and
Nath 2001; Nagpal et al. 2003; Bulusu et al. 2000; He et al. 2003]. Note that
SeRLoc achieves a localization error of 0.5r with very few locators (LH = 12,
which is equivalent to four locators with 3-sectored antennas). To achieve LE =
0.5r, we need a locator density of ρL = = 0.0032 locators/m² for R = 20 m.

In Figures 11(a) and (b), we show the cumulative distribution function (cdf)
of the localization error for SeRLoc when 3-sector antennas are used at the
locators, and the average number of locators heard are LH = 6 and LH = 8,
respectively. We observe that for LH = 4, the error is more evenly distributed
among its possible values with 90% of the sensors having an error of less than
1.2r, while for LH = 8, more than 90% of the sensors have an error smaller
than 0.7r.

[Figure 12, panel titles: (a) Avg. LE vs. SE, 8-sector antenna; (b) Avg. LE vs. SE, LH = 10.]

Fig. 12. (a) LE vs. sector error (SE) for varying LH. (b) Average localization error LE vs. SE for a
varying number of antenna sectors for a network of |S| = 5,000 and y = 10.


The highest localization error occurs when a sensor hears only one locator
Li and is R units away from Li. The probability for such an event to occur can
be set to an arbitrarily small value by deploying a sufficient number of locators.
For example, when LH = 8, the probability for a sensor to hear just one locator
is P(|LH| = 1) = 2.7 × 10⁻³.


6.3  Localization  Error  vs.  Antenna  Sectors 

In our second experiment, we examined the impact of the number of antenna
sectors M on the average localization error LE. In Figure 10(b), we show the
LE vs. LH for a varying number of antenna sectors. We can observe that for
LH = 3, the LE is comparable for all values of M. However, as the value of LH
increases, the LE decreases more rapidly for a higher number of antenna sectors
due to the fact that the overlapping region becomes smaller when the antenna
sectors become narrower.

The gain in the localization accuracy comes at the expense of hardware
complexity at the locator since more complex antenna designs have to be employed
to generate the sectoring. Additionally, errors in the estimation of the antenna
sector where a sensor is included become more frequent since more sensors are
located at the boundary between two sectors.

6.4  Localization  Error  vs.  Sector  Error 

Sensors may be located close to the boundary of two sectors of a locator or be
deployed in a region with high multipath effects. In such a case, a sensor may
falsely assume that it is located in another sector than the actual sector that
includes it. We refer to this phenomenon as sector error (SE) and define it as

#  of  sectors  falsely  estimated 
SE= - — - .  (27) 

A sector error of 0.5 indicates that every sensor falsely estimated the sectors of
half the locators heard. In Figure 12(a), we show the LE vs. the SE for varying
LH and 8-sector antennas. We observe that the LE does not grow significantly
large (larger than the sensor communication range r) until a fraction of 0.7 of
the sectors are falsely estimated.

[Figure 13, panel title: (a) Avg. LE vs. GPSE, 8-sector antenna.]

Fig. 13. (a) LE vs. locator GPS error in units of r for a varying average number of locators heard
LH. (b) Communication cost vs. LH for a network of 200 sensors.

The SeRLoc algorithm is resilient to sector error due to the majority vote scheme
employed in the determination of the overlapping region. Even if a significant
fraction of sectors are falsely estimated, these sectors do not overlap in the same
network area and hence score low in the grid-sector table.

Note that for a SE > 0.7, LE increases with LH. When the SE grows beyond
a threshold, the falsely estimated sectors dominate in the location
determination. As LH grows, the falsely estimated overlapping region shrinks due to
the higher number of overlapping sectors. Therefore, the CoG that defines the
sensor estimated location gets further apart from the actual sensor location.

In Figure 12(b), we show the LE vs. SE for LH = 10 and a varying number of
antenna sectors. We observe that the narrower the antenna sector, the smaller
the LE even in the presence of SE. For a small SE, the overlapping region is
dominated by the correctly estimated sectors and shrinks with increasing
antenna sectors. For large SE, the overlapping region is dominated by the falsely
estimated sectors and an increase in LH does not reduce the LE.

Summarizing our findings for the sector error, we note that SeRLoc is
resilient to sector error due to the majority vote mechanism employed in the
overlapping region determination.
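
The majority vote over the grid-sector table can be seen in a small constructed scenario. This is an added example, not the authors' simulator: it assumes a sensor at the origin, eight locators on a circle of radius 10 m around it, R = 20 m, 8-sector antennas, a 0.5 m grid, and a sector error that replaces the true sector with the opposite one; all names are illustrative.

```python
import math

def sector_of(origin, point, m):
    """Index of the antenna sector of `origin` (m equal sectors) that contains `point`."""
    ang = math.atan2(point[1] - origin[1], point[0] - origin[0]) % (2 * math.pi)
    return int(ang // (2 * math.pi / m)) % m

def estimate(beacons, R, m, half=25.0, step=0.5):
    """Grid score table with majority vote.

    beacons: list of ((x, y), sector) pairs as the sensor decoded them.
    Returns (CoG of the highest-scoring grid points, that score).
    """
    n = int(round(2 * half / step))
    best, pts = 0, []
    for i in range(n + 1):
        for j in range(n + 1):
            g = (-half + i * step, -half + j * step)
            score = sum(1 for loc, sec in beacons
                        if math.dist(g, loc) <= R and sector_of(loc, g, m) == sec)
            if score > best:
                best, pts = score, [g]
            elif score == best and score > 0:
                pts.append(g)
    if not pts:
        return None, 0
    cog = (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))
    return cog, best

def run(n_wrong, m=8, R=20.0, d=10.0):
    """Constructed scenario: sensor at (0, 0), m locators on a circle of radius d.
    The first n_wrong beacons are decoded with the opposite (wrong) sector."""
    sensor = (0.0, 0.0)
    beacons = []
    for k in range(m):
        phi = 2 * math.pi * (k + 0.5) / m
        loc = (d * math.cos(phi), d * math.sin(phi))
        sec = sector_of(loc, sensor, m)
        if k < n_wrong:
            sec = (sec + m // 2) % m          # injected sector error
        beacons.append((loc, sec))
    cog, best = estimate(beacons, R, m)
    return math.dist(cog, sensor), best

if __name__ == "__main__":
    for n_wrong in (0, 3):
        err, votes = run(n_wrong)
        print(f"{n_wrong}/8 sectors wrong: winning score {votes}, error {err:.2f} m")
```

With three of the eight sectors wrong, the wrong sectors point away from the sensor and do not overlap one another, so the winning grid region is still the one covered by the five correct sectors.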

6.5  Localization  Error  vs.  GPS  Error 

GPS, or any alternative localization scheme used to provide locators with their
location, may have limited accuracy. To study the impact of the error in the
locators’ position on LH, we induced a GPS error (GPSE) to every locator of the
network. A value of GPSE = r means that every locator was randomly placed
on a circle of radius r, centered at the locator’s actual position.

In Figure 13(a), we show the average localization error LE vs. the GPSE in
units of r, for a varying number of LH when locators use 8-sector antennas. We
observe that even for a large GPSE the LE does not grow larger than 1.2r. For
example, when GPSE = 1.8r and LH = 3, LE = 1.1r. According to Figure 10(a),
DV-hop and amorphous localization require LH = 5 to achieve the same
performance in the complete absence of GPSE, while APIT requires LH = 12 to
reduce the LE to 1.1r with no GPSE induced in the locators’ positions. Note
that once the GPSE becomes significantly large (over 1.6r), an increase
in LH does not improve the accuracy of the location estimation.

6.6  Communication  Cost  vs.  Locators  Heard 

In  this  section,  we  analyse  the  communication  cost  of  SeRLoc  and  compare 
it  with  the  communication  cost  of  the  existing  range-independent  localization 
algorithms.  In  Figure  13(b),  we  show  the  communication  cost  in  number  of 
transmitted  messages  vs.  LH  when  200  sensors  are  randomly  deployed. 

We observe that DV-hop and Amorphous localization have significantly
higher communication cost compared to all other algorithms due to the
flood-based approach for the beacon propagation. The centroid scheme has the lowest
communication cost (|L|) since it only transmits one beacon from each locator
to localize the sensors. APIT requires |L| + |S| beacons to localize the sensors,
while SeRLoc requires M|L| beacons, where L is the set of locators
and M is the number of antenna sectors.

Under the assumption that the number of sensors is much higher than the
number of locators (for |S| ≫ |L|, |L| + |S| > M|L|), SeRLoc has a smaller
communication cost than APIT since SeRLoc is independent of the number of
sensors deployed. In addition, the theoretical upper bound of the performance
of APIT is given by PIT [He et al. 2003]. The APIT will achieve the performance
of PIT when the sensor density ρs is sufficiently high. From Figure 10(a), we
observe that in the simulation scenarios considered (random locator deployment),
SeRLoc outperforms PIT and hence, also the APIT in average localization error
for all values of LH. The increased localization accuracy and lower communication
cost of SeRLoc compared to other algorithms comes at the expense of more
complex hardware since locators need to be equipped with sectored antennas.

7.  CONCLUSION 

We introduced the problem of secure localization in WSNs and proposed a
range-independent, decentralized localization scheme called SeRLoc that
allows sensors to determine their location in an untrusted environment. We also
analytically evaluated the probability of sensor displacement due to security
threats in WSNs such as the wormhole attack, the Sybil attack, and compromise
of network entities and showed that SeRLoc provides accurate location
estimation even in the presence of these threats. In doing so, we used the
geometric and radio range information to detect the attacks on the localization scheme.
Our simulation studies also show that SeRLoc localizes sensors with higher
accuracy than state-of-the-art range-independent localization schemes, while
requiring fewer reference points and lower communication cost. Furthermore,
our simulation studies showed that SeRLoc is resilient to sources of error such
as location error of reference points as well as error in the sector determination.
Statistical analysis and characterization of the SeRLoc estimator will be
a future area of research.

Fig. 14. Computing the maximum lower bound on P(CR).


APPENDIXES 

1. CHOOSING THE SYSTEM PARAMETERS

Probability of hearing more than k locators. Since locators are randomly
deployed, the probability for a locator to be in an area of size is = ^ . In
addition, the random locator deployment implies statistical independence
between locators being within a network region Ag. Hence, the probability that
exactly k locators are in Ag is given by the binomial distribution.

Pik  e  A^)  =  (28) 

For |L| ≫ 1 and A ≫ Ag we can approximate the binomial distribution with a
Poisson distribution:


P(^  e  A„)  =  (29) 

^  k\  kl 

By letting Ag = we can compute the probability of having exactly k locators
inside a circle of radius R, centered at the sensor.

P(|LH,|  =  ^)  =  (30) 

k\ 

Using (30), we compute the probability that every sensor hears at least k
locators. The random sensor deployment implies statistical independence in the
number of locators heard by each sensor and hence:

1^1 

P(|LH,|>^,Vs)^(l-P(|LH,|<^))i^i  ^  ^1  -  E  .  (31) 
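
The parameter choice this appendix describes can be carried out numerically. This is an added example, not part of the paper: it assumes the Poisson form with mean ρL·π·R² (that is, Ag taken as the area of the circle of radius R), and the function names, k = 3 and the 0.99 target are illustrative choices.

```python
import math

def p_hear_exactly(k, rho_l, R):
    """Poisson form of P(|LH_s| = k) for the circle of radius R around a sensor."""
    mean = rho_l * math.pi * R ** 2          # assumed: A_g = pi * R^2
    return mean ** k * math.exp(-mean) / math.factorial(k)

def p_all_hear_at_least(k, rho_l, R, n_sensors):
    """(1 - P(|LH_s| < k)) ** |S|: every one of n_sensors hears at least k locators."""
    p_less = sum(p_hear_exactly(i, rho_l, R) for i in range(k))
    return max(0.0, 1.0 - p_less) ** n_sensors

def min_density(k, R, n_sensors, target, hi=1.0):
    """Smallest locator density (locators/m^2) that meets `target`, by bisection.
    Valid because the probability grows monotonically with the density."""
    if p_all_hear_at_least(k, hi, R, n_sensors) < target:
        raise ValueError("upper bound hi is too small for this target")
    lo = 0.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if p_all_hear_at_least(k, mid, R, n_sensors) >= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    R, n_sensors, area = 20.0, 5000, 100.0 * 100.0   # setup of Section 6.1
    print("P(|LH| = 1) at mean 8:", p_hear_exactly(1, 8 / (math.pi * R ** 2), R))
    rho = min_density(3, R, n_sensors, 0.99)
    print("density for k=3, target 0.99:", rho, "-> locators:", math.ceil(rho * area))
```

For a mean of 8 locators heard, the Poisson form gives about 2.7 × 10⁻³ for hearing exactly one locator.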

2. MAXIMIZING THE LOWER BOUND ON P(CR)

The  lower  bound  on  detection  probability  based  on  the  communication  range 
constraint  property  is  given  by 


$$P(CR) \geq \left(1 - e^{-\rho_L A_i}\right)\left(1 - e^{-\rho_L A_j}\right). \tag{32}$$

We want to compute the values of Ai*, Aj* that maximize the right side of (32).
From Figure 14,


Aiix)  = 


Jr 


Ajix)  = 


where l = ||s − 0||. Since both Ai, Aj are expressed as functions of x, the lower
bound LB(x) on P(CR) can be expressed as

LB(x)  =  (1  -  (34) 


To maximize LB(x), we differentiate over x and set the derivative equal to zero:


LB'ix)  =  pLA;(x)e-^^^‘'^^  +  PLA;,.(x)e-^^^^'*^ 

-  pl(A;(x)  + 

+  pz.A}(x)(e-^^^^^^'  -  ^  q_  (35) 


A trivial solution to LB'(x) = 0 is Ai(x) = 0, or Aj(x) = 0, but both yield a
minimum rather than a maximum (LB(x) = 0). However, if we set Ai(x) = Aj(x),
from (33), we obtain R + x − l = R − x ⇒ x = l/2. In addition, differentiating (33)
with respect to x and evaluating (33) at x = l/2 yields Ai'(l/2) = −Aj'(l/2). Hence, for
Ai(x) = Aj(x), LB'(x) = 0, and the maximum value on the lower bound LB(x)
is achieved. The values of Ai, Aj that maximize LB(x) are


A*(x)  =  2 


'R‘^  —  z‘^dz  —  XV  —  x^  —  tan 